Home

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.

PUBLISHED Reserved 2025-12-06 | Published 2026-05-10 | Updated 2026-05-10 | Assigner php




HIGH: 7.4CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/AU:Y/RE:M/U:Amber

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
affected

8.2.* (semver) before 8.2.31
affected

8.3.* (semver) before 8.3.31
affected

8.4.* (semver) before 8.4.21
affected

8.5.* (semver) before 8.5.6
affected

Credits

Aleksey Solovev (Positive Technologies) finder

Nikita Sveshnikov (Positive Technologies) finder

Ilija Tovilo remediation reviewer

Arnaud Le Blanc remediation reviewer

Saki Takamachi remediation developer

References

github.com/...hp-src/security/advisories/GHSA-w476-322c-wpvm vendor-advisory

cve.org (CVE-2025-14179)

nvd.nist.gov (CVE-2025-14179)

Download JSON